Fix noir ecdsa verification in acc contract. #1345
Conversation
Whoa, great find! To make sure I understand: does this mean that |
Yes exactly. Hashing the message in ECDSA signature construction is critical for security and efficiency. That's non-negotiable. What could be done is: instead of defining: (I've explained in the PR description as well as a detailed hackmd. Hope that helps.) |
I think that makes sense, so we don't need the extra hash in the contract. Note that this may break the schnorr account contract, since it uses the same base Also, we'll need to make sure we document this properly in noir-lib! |
03698e5 to fdc8dab
@kevaundray can you elaborate a bit on why we decided to use |
LGTM
Just remove the |
Fix minor errors. Remove debug_log dependency. Remove debug_log dependency.
71f88bd to 44e7dcd
This issue could have been resolved with 1 loc:
@suyash67 it's actually negotiable.
Well, it isn't every day that you find the maintainer of a package you're working with that drops in the conversation. Thanks so much @paulmillr for chiming in, I'm now wondering how you stumbled upon this thread.
Absolutely true, but our goal here was to remove dependencies on third party crypto libraries when possible, and since barretenberg (Aztec's cpp crypto library) covered ecdsa, we wanted to leverage it.
Now this is interesting. Given we'll need to optimise as much as possible in our circuits to reduce user's proving times, maybe it makes sense to keep the |
It's wise to use cpp bindings if your constraints and environments allow it: it's safer and faster. Less deps is also great.
I regularly check noble GitHub dependents and dive into projects and their issues. |
Thanks for your inputs @paulmillr and @spalladino! Well I thought it'd be easy to forge signatures if we use the un-hashed signature construction in ECDSA. Particularly, any signature for message |
Description
resolves #913
Detailed hackmd: https://hackmd.io/9QRzytElQE2sMLf4S7qR1A?view
TLDR: ECDSA signing in bberg and verification in noir has a minor "difference". Signature construction and verification should operate consistently on the message.
The noir ecdsa verification takes in the hashed message $z$ as an argument. So we need to hash the message before calling std::ecdsa_secp256k1::verify_signature. The reason this worked with the noble curves package was: in the noble package, the message is never hashed. It is used as is for signing a message. Therefore the noir-ecdsa-verify works as we don't need to hash the message in verification.
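The consistency requirement in the description (signer and verifier must operate on the same $z$) is easiest to see with a small, self-contained ECDSA implementation over secp256k1. The block below is an added example written for this page; it is not code from the Aztec repository, barretenberg or noble-curves. The private key and message are constructed values. `verify_hashed` is a stand-in with the same shape as `std::ecdsa_secp256k1::verify_signature` (the caller supplies the already-hashed $z$), and `sign_hashed` stands in for a signer that takes $z$ as its input. `check_consistency` then runs the three cases discussed in the thread: both sides hash, neither side hashes, and the mismatch that this PR fixes (signer hashes, verifier passes the raw message).

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants, not page-specific values).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, p):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def sha256_int(msg: bytes) -> int:
    """The z a hashing signer/verifier would agree on: SHA-256(msg) as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign_hashed(z: int, d: int) -> tuple:
    """ECDSA over an already-reduced input z (the signer's own hashing is the caller's job).
    The nonce k is random per call; z is used exactly as given."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r != 0 and s != 0:
            return (r, s)


def verify_hashed(z: int, sig: tuple, Q: tuple) -> bool:
    """Stand-in for std::ecdsa_secp256k1::verify_signature: takes z, never the raw message."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def check_consistency(msg: bytes, d: int) -> dict:
    """Run the three signer/verifier pairings discussed in the thread."""
    Q = _mul(d, G)                       # public key
    z_hash = sha256_int(msg)             # what a hashing signer (bberg) signs
    z_raw = int.from_bytes(msg, "big") % N  # what a non-hashing signer (noble, per the PR text) signs
    sig_hash = sign_hashed(z_hash, d)
    sig_raw = sign_hashed(z_raw, d)
    return {
        # both sides hash: the fixed contract, hashing before calling verify
        "both_hash": verify_hashed(z_hash, sig_hash, Q),
        # neither side hashes: why the noble-based flow verified without a hash in the contract
        "both_raw": verify_hashed(z_raw, sig_raw, Q),
        # the bug this PR fixes: signer hashed, contract passed the raw message as z
        "signer_hashes_verifier_raw": verify_hashed(z_raw, sig_hash, Q),
    }


if __name__ == "__main__":
    PRIVATE_KEY = 0x1E240C0FFEE1E240C0FFEE1E240C0FFEE1E240C0FFEE1E240C0FFEE1E240C0FF  # constructed, demo only
    print(check_consistency(b"constructed account-contract payload", PRIVATE_KEY))
```

The only thing that differs between the three cases is which integer both parties feed into the equation; the curve arithmetic is identical. That is why the fix belongs at the call site in the contract (hash, then verify) rather than anywhere in the verification primitive itself.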
Checklist: